In the 2.2 series kernels, a number of protocol-specific helper
modules are created during kernel compilation. Some protocols begin with
an outgoing request on one port, and then expect an incoming connection on
another. Normally these cannot be masqueraded, as there is no way of associating
the second connection with the first without peering inside the protocols
themselves. The helper modules do just that; they actually look inside the
datagrams and allow masquerading to work for supported protocols that
otherwise would be impossible to masquerade. The supported protocols are:

Module

Protocol

ip_masq_ftp

FTP

ip_masq_irc

IRC

ip_masq_raudio

RealAudio

ip_masq_cuseeme

CU-See-Me

ip_masq_vdolive

For VDO Live

ip_masq_quake

IdSoftware's Quake

You must load these modules manually using the insmod
command to implement them. Note that these modules cannot be loaded using
the kerneld daemon. Each of the modules takes an argument
specifying what ports it will listen on. For the
RealAudio™ module you might use:[1]

# insmod ip_masq_raudio.o ports=7070,7071,7072

The ports you need to specify depend on the protocol. An IP masquerade
mini-HOWTO written by Ambrose Au explains more about the IP masquerade modules
and how to configure them.[2]

The netfilter package includes modules that perform
similar functions. For example, to provide connection tracking of FTP
sessions, you'd load and use the ip_conntrack_ ftp and
ip_nat_ ftp.o modules.